PANDA Banker Malware Attacks Bank Institutions, Cryptocurrency Trading Platforms, and Social Media


Security company F5 recently released a report describing how attackers are using the PANDA Banker malware in frequent campaigns against banking institutions, cryptocurrency trading platforms, and social media sites.

We analyzed four campaigns that were active between February and May of 2018. The three May campaigns are still active at the time of this writing. Two of the four campaigns are acting from the same botnet version but have different targets and different command and control (C&C) servers. Panda is still primarily focused on targeting global financial services, but following the worldwide cryptocurrency hype, it has expanded its targets to online cryptocurrency exchanges and brokerage services. Social media, search, email, and adult sites are also being targeted by Panda. The Panda configuration we analyzed from February was marked as botnet “onore2.” This campaign leverages the same attack techniques as previously described, and it is able to keylog popular web browsers and VNC in order to hijack user interaction sessions and steal personal information.

The main capability of PANDA Banker is the theft of accounts and credentials, using man-in-the-browser techniques to steal victims’ assets. F5 stated that PANDA Banker continued its attacks against Japanese companies and that financial institutions in the United States, Canada, and Latin America were not spared. The report shows that PANDA Banker initially attacked only global financial services, but with the global cryptocurrency boom, online cryptocurrency trading services have become a target of PANDA Banker as well. Social media, search sites, e-mail, and even adult sites are all likely targets too.

F5 concludes “This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down.”